Scott Godes' blog about insurance coverage for policyholders, risk managers, and in house counsel.


Monthly Archives:
October 2011

A massive cyberattack that led to a vulnerability in RSA’s SecurID tags earlier this year also victimized Google, Facebook, Microsoft and many other big-named companies, according to a new analysis released this week.

Security experts have said that RSA wasn’t the only corporation victimized in the attack, and that dozens of other multinational companies were infiltrated using many of the same tools and Internet infrastructure.

This is in line with comments from others, including this quote from Digital Forensic Investigator News, that “2011 has quickly become the year of the cyber attack.” Would your insurance policies cover those events? Beyond the denial of service attacks that made news headlines, a shocking “80 percent of respondents” in a survey of “200 IT security execs” “have faced large scale denial of service attacks,” according to a ZDNet story.[1] These attacks and threats do not appear to be on a downward trend. They continue to be in the news after cyberattacks allegedly took place against “U.S. government Web sites – including those of the White House and the State Department –” over the July 4, 2009 holiday weekend.[2] The alleged attacks were not only against government sites; they allegedly included, “according to a cyber-security specialist who has been tracking the incidents, . . . those run by the New York Stock Exchange, Nasdaq, The Washington Post, Amazon.com and MarketWatch.”[3] The more recent ZDNet survey shows that a quarter of respondents faced denial of service attacks on a weekly or even daily basis, with cyberextortion threats being made as well.[4]

Denial of Service Attacks

The cyberattacks that have stolen recent headlines were denial of service incidents. Personnel from “CERT® Program,” which “is part of the federally funded Software Engineering Institute (SEI), a federally funded research and development center at Carnegie Mellon University in Pittsburgh, Pennsylvania,” have explained:

Denial of service attacks come in a variety of forms and aim at a variety of services. There are three basic types of attack:

Some attacks are comparable to “tak[ing] an ax to a piece of hardware” and are known as “so-called permanent denial-of-service (PDOS) attack[s].”[6] If a system suffers such an attack, which also has been called “pure hardware sabotage,” it “requires replacement or reinstallation of hardware.”[7]

What Insurance Coverage Might Apply?

The first place to look for insurance coverage for a denial of service attack is a cybersecurity policy. The market for cybersecurity policies has been called the Wild West of insurance marketplaces. Cyber security and data breach policies, certain forms of which may be known as Network Risk, Cyber-Liability, Privacy and Security, or Media Liability insurance, are relatively new to the marketplace and are ever-changing. The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the “Internet Liability and Network Protection Policy,” and insurance companies may base their coverages on this basic insuring agreement, or they may provide their own company-worded policy form. Because of the variety of coverages being offered, a careful review of the policy form before a claim hits is critical to understand whether the cyberpolicy will provide coverage, and, if it will, how much coverage is available for the event. If your company does make a claim under a cyberpolicy, engaging experienced coverage counsel who is familiar with coverage for cybersecurity claims will help get the claim covered properly and fight an insurance company’s attempt to deny the claim or otherwise improperly try to limit coverage that is due under the policy.

If your company faces a denial of service cyberattack and suffers losses as a result, but your company has not purchased a specialized suite of policies marketed as cyber security policies, coverage nonetheless may be available under other insurance policies. In addition, other insurance policies may provide coverage that overlaps with a cyberinsurance policy. Consider whether first party all risk or property coverage may apply. First party all risk policies typically provide coverage for the policyholder’s losses due to property damage. If the denial of service cyberattack caused physical damage to your company’s servers or hard drives, your company’s first party all risk insurer should not have a credible argument that there was no property damage. Even if the damage is limited to data and software, however, it may be argued that the loss is covered under your company’s first party all risk policy, as some courts have found that damage to data and software consists of property damage.[8]

First party policies may also provide coverage for extra expense, business interruption, and contingent business interruption losses due to a cyberattack. (Contingent business interruption losses may include losses that the policyholder faces arising out of a cyber security-based business interruption of another party, such as a cloud provider, network host, or others.)[9]

Look also to other first party coverages, such as crime and fidelity policies, to determine whether there may be coverage for losses due to a cyberattack. In particular, crime policies may have endorsements, such as computer fraud endorsements, that may cover losses from a denial of service cyberattack.[10]

If, after a cyberattack, third parties seek to hold your company responsible for their alleged losses, consider whether your company’s liability policies would provide coverage. More importantly, consider your company’s commercial general liability (CGL) insurance policy, if your company does not have a specialized cyber liability policy. If your company did buy a cyberinsurance policy, there is coverage under a CGL policy (and others) that may overlap the coverage in a cyberinsurance policy, providing your company with additional limits of insurance coverage available for the claim.

The first coverage provided in a standard-form CGL insurance policy covers liability for property damage. Similar to the analysis above for first party all risk policies, if there was damage to servers or hard drives, insurers should not be heard to argue that there was no property damage. Courts are divided as to whether damage to data or software alone consists of property damage under insurance policies, with some courts recognizing that “the computer data in question ‘was physical, had an actual physical location, occupied space and was capable of being physically damaged and destroyed’” and that such lost data was covered under a CGL policy.[11] Be aware, however, that the insurance industry has revised many CGL policies to include definitions giving insurers stronger arguments that damage to data and software will not be considered property damage. But also note that your company’s CGL policy may have endorsements that provide coverage specifically for damage to data and software.[12] Consider further whether a claim would fall within the property damage coverage for loss of use of tangible property—loss of use of servers and hard drives because of the cyberattack; loss of use of computers arising out of alleged software and data-based causes has been held sufficient to trigger a CGL policy’s property damage coverage.[13]

Keep in mind that if there is a claim for property damage under a CGL policy, there may be coverage for obligations that your company has under indemnity agreements. Standard form CGL policies provide coverage for indemnity agreements.[14]

Depending on the types of claims asserted, other liability policies may be triggered as well. For example, directors and officers liability policies may provide coverage for investigation costs,[15] and errors and omissions policies also may cover, if the cybersecurity claims may be considered to be within the definition of “wrongful act.”[16] The takeaway for companies suffering from a cyberattack is that a careful review of all policies held by the insured is warranted to make certain that the most comprehensive coverage may be pursued.

Cybersecurity and Data Breach Policies

The market for cybersecurity policies has been called the Wild West of insurance marketplaces. Such policies are relatively new to the marketplace and are constantly changing. Specific policies for cybersecurity and data breach have been known as Network Risk, Cyberliability, Privacy and Security or Media Liability insurance. The Insurance Services Office, Inc., which designs and seeks regulatory approval for many insurance policy forms and language, has a standard insurance form called the Internet Liability and Network Protection Policy, and insurance companies may base their coverages on this basic insuring agreement or they may provide their own company-worded policy form. Because these policies are frequently updated and changed, it is important to compare the coverages offered across companies and within a company’s offerings.

Traditional Forms of Insurance

Although it is ideal to purchase a policy designed specifically for cybersecurity risks, more traditional forms of insurance may also provide overlapping coverage for data breaches and cyberrisks, depending on the particular coverage terms and exclusions in the individual policy. Coverage may be provided by the following types of policies: commercial general liability; first-party property and business interruption; directors and officers or errors and omissions; crime; kidnap, ransom and extortion. Insurance companies, however, have been fighting their obligations to pay claims for cyber-related loss under such traditional insurance policies. A major insurer recently sued a corporate policyholder in New York, asking the court to rule that traditional insurance policies do not cover a series of high-profile data breaches, cyberattacks and cyberrisks.

Making a Claim for Coverage

If a cyberevent occurs, such as a data breach, then it is vital that risk managers, technology managers and privacy managers work together to seek recovery under all potentially available insurance policies. It is recommended that policyholders send notice of the claim or occurrence to all potentially applicable insurers, whether under a special cybersecurity policy or under the more traditional forms of insurance. After an insurance claim is tendered to insurers, they may raise various defenses to coverage. Companies, however, should not assume that such defenses will defeat coverage. Whether an event is covered will often depend on careful analysis of the specific policy language involved, the facts of a company’s particular losses and the law of the applicable jurisdiction. Insurance carriers may take a hard line regarding the application of the exclusions in their policies. For example, under certain insurance policies, there is coverage for property damage, and insurers have asserted that there has been no property damage as a result of a cyberattack. Technology managers, however, may be able to assist the company in marshalling evidence to prove that a cyberattack has damaged the company’s computer equipment, or that there has been a loss of use of computer equipment (another way of demonstrating property damage under certain insurance policies). Technology managers should stay involved throughout the insurance recovery process to help assure that any representations and statements about the company’s technology and the cyberevent are accurate and properly characterized.

Beyond in-house technology personnel, companies that have sustained losses due to a data breach or cyberattack should consider speaking with an attorney who represents policyholders and has familiarity with this area. Because of the assistance of such lawyers, some policyholders have been able to obtain substantial recovery even after the insurer initially denied the policyholder’s claim.

Scott Godes and Kenneth Trotter are attorneys with Dickstein Shapiro LLP who devote a significant portion of their practice to the representation of policyholders in complex insurance disputes with insurance companies. They may be reached at godess@dicksteinshapiro.com or trotterk@dicksteinshapiro.com. This information is general and educational and is not legal advice. For more information, please visit www.hospitalitylawyer.com.

Thank you to the Hospitality Upgrade website for permission to use this article.

This article appeared on the Hospitality Upgrade website on 1 October 2011—link to article:

It is no secret that the hospitality industry continues to be vulnerable to data breaches and other cyberattacks. . . .

Cybersecurity risks can cause a company to incur significant loss or liability. A data breach could result in the loss of important and sensitive customer information and, in some cyberevents, stolen company funds. Companies also may face liabilities to third parties under statutory and regulatory schemes, incurring costs to mitigate, remediate and comply with the liability under these statutes. Worse still, class action lawsuits have been filed around the country after data breaches, with plaintiffs alleging, among others, the loss of the value of their personal information, identity theft, invasion of privacy, negligence or contractual liability. . . .

Many businesses in the hospitality industry have undertaken important steps to reduce the likelihood of cyberattacks and to protect data and confidential information. Such measures are important, but equally important is understanding what insurance policies those companies have, or could purchase, to cover loss or liability associated with a data breach or other cyberattack. . . .

Is your company an additional insured under another company’s insurance policies? Does your company issue certificates of insurance? Do you deal with indemnity agreements? Do you know whether indemnity agreements are covered by insurance? Would you like to learn the answers to these questions? Of course you would.

You’d like to hear about this from a commercial litigator and insurance coverage attorneys, wouldn’t you?

Plus, you’d like CLE credit for listening, wouldn’t you?

Well, say no more!

If you’re looking for all of that and more, organized and hosted by my good friends at HB Litigation Conferences, please join me for the:


*This is valid for only one connection per firm/company location. Multiple attendees can listen in to the conference on that one connection for no additional charge (an additional CLE fee of $25 per additional listener will apply for those pursuing CLE credit, names required in advance). If more than one connection is used, you will be billed after the conference $169 per each additional connection used.

2011 has been an unprecedented year of data compromise, exposure and harm to organizations large and small. At the CyberCrime 2011 Symposium, you’ll learn what’s being done – and what you can do – to detect, deter, and defeat cybercriminals causing mayhem around the world.

Join us on November 3 and 4 and learn from the experts about the latest threats coming from today’s smart and subversive cybercriminals. You’ll gain essential knowledge to help your organization protect itself – and its customers – against sophisticated malware, spiteful hacktivists, and financially motivated cybercrime.

Now in its second year, the CyberCrime 2011 Symposium is THE must-attend conference for any financial, healthcare or governmental professional involved in operations, compliance, security or information services. Seats are limited – be sure to reserve yours now.

Here are the highlights, from the conference website:

Conference Highlights:

50 Days of Mayhem: What We Can (and Should) Learn from LulzSec – How a small band of “hacktivists” caused (and are still causing) sleepless nights for security professionals around the world…and how we should have been able to stop them.

The Malware Behind the RSA Breach and other Advanced Persistent Threats – Joe Stewart of Dell SecureWorks reveals how the APT/cyber-espionage behind the breach of RSA last spring can be traced back to an attack originating in China.

Krebs on Security: ZeuS, Thieves and Money Mules – Award-winning blogger and columnist Brian Krebs returns to the Symposium with the dinner keynote detailing the latest exploits of organized cybercrime.

Learn from the Mistakes of Others: Be Better Prepared to Combat Security Risks to Your Organization – Trends, recommendations and insights from the 2011 Verizon Data Breach Investigations Report.

What You Need to Know Before It Happens to You – An expert panel of forensic, legal and industry experts discuss what it takes to minimize the impact of a malicious external attack, an insider threat, a vendor compromise or an accidental exposure.

I’m a “featured speaker” at the event. My session will be:

Cyber Insurance: Will You Be Covered if Your Company Suffers a Cyber Event?
The price tag on corporate data breaches is soaring. Does Cyber Risk Insurance make sense for your organization? Cyber Insurance policies generally cover third-party liability – e.g. suits filed by customers whose accounts have been hacked; direct costs – e.g. notification letters sent to affected customers; and, increasingly, fines and penalties associated with data breaches. This session will focus on what policy holders should be looking for in Cyber and Data Security Coverage and how to avoid potential pitfalls.


Disclaimer

This blog is for informational purposes only. This may be considered attorney advertising in some states. The opinions on this blog do not necessarily reflect those of the author's law firm and/or the author's past and/or current clients. By reading it, no attorney-client relationship is formed. If you want legal advice, please retain an attorney licensed in your jurisdiction.

NOTE THAT ANY CASE DECISIONS, COURT OPINIONS, RULINGS, AND/OR RESULTS DEPEND UPON A VARIETY OF FACTORS UNIQUE TO EACH CASE.

CASE RESULTS DO NOT GUARANTEE OR PREDICT A SIMILAR RESULT IN ANY FUTURE CASE UNDERTAKEN BY THE LAWYER.

About the Corporate Insurance Blog

Welcome to The Corporate Insurance Blog. This blog is for corporate policyholders, risk managers, and in-house counsel who deal with insurance policies, programs, purchases, renewals, claims, and recovery.